Configuring the JWT Bearer Flow

To use the JWT Bearer grant type in Liferay, create an OAuth 2 client whose Client Authentication Method is Client Secret Basic or Client Secret Post. The client authenticates with its client ID and secret and sends the assertion together with the grant type; in return, Liferay issues an access token.

To validate the assertion, you must configure an incoming assertion issuer in Liferay. This forms a trust relationship between Liferay (the Relying Party) and the issuer (the Token Service). See Assertion as Authorization Grant.

  1. Open the Global Menu (Applications Menu icon) and navigate to Control Panel → Instance Settings.

  2. In the OAuth 2 Incoming Assertion Configuration section, click Add.

  3. Enter the issuer name, the JSON Web Key Set (JWKS), and the user authentication type.

  4. Click Save.

The issuer value must equal the iss claim in the issuer's JWT assertion. The user authentication type tells Liferay which kind of user identifier the sub claim carries, so the sub value in the assertion must be an identifier of that type. You may need additional configuration in your token service so that it emits these values.

The JSON Web Key Set is usually published at the JWKS URI of your token service. For instance, if you're using Keycloak, the JWKS is available at

https://{hostname}/realms/{realm_name}/protocol/openid-connect/certs

(older Keycloak distributions prefix the path with /auth). Liferay uses the keys in this document to verify assertion signatures, so retrieve it over HTTPS directly from the issuer you intend to trust, and update the configuration when the token service rotates its signing keys; a key set taken from anywhere else would let whoever controls those keys mint assertions Liferay accepts.

Enabling the JWT Bearer Flow

After configuring the incoming assertion issuer, ensure you’ve enabled the JWT Bearer flow for your client.

  1. Open the Global Menu (Applications Menu icon) and navigate to Control Panel → OAuth 2 Administration.

  2. Select your OAuth 2 client and scroll down to Allowed Authorization Types.

  3. Check the JWT_BEARER checkbox.

  4. Click Save.

Getting an Access Token from Liferay

Once you’ve configured an incoming assertion issuer and enabled the JWT_BEARER flow for your client, you can start getting access tokens from Liferay.

If you're using a confidential client, send a POST request to Liferay's token URL https://{hostname}/o/oauth2/token with the following parameters in the body (encoded as application/x-www-form-urlencoded):

client_id=YOUR_CLIENT_ID
client_secret=YOUR_CLIENT_SECRET
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=<JWT assertion from the token service>

This body form corresponds to the Client Secret Post authentication method. With Client Secret Basic, the client_id and client_secret are sent in an HTTP Basic Authorization header instead of the body; grant_type and assertion stay in the body either way.

Below is a sample token request made to Liferay using a JWT assertion from Keycloak, which is configured as an incoming assertion issuer in Liferay.

Liferay issues an access token for the JWT Bearer flow.
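Two things go wrong most often in this flow: the assertion's iss or kid does not line up with what was entered in the incoming assertion configuration, and the client credentials are sent in the wrong place for the chosen Client Authentication Method. The following Python script is an added example (not Liferay's or Keycloak's own code) that decodes an assertion without verifying it, checks its iss, sub, alg, kid and exp against the configured issuer and JWKS, and builds the token request for either authentication method. The issuer URL, key ID, client values and claims are constructed assumptions, and the signature segment of the demo assertion is a placeholder, so Liferay would reject it; the script never sends anything.

```python
"""Preflight a JWT assertion against Liferay's incoming-assertion settings and
build the token request. Added example; not Liferay's or Keycloak's own code."""
import base64
import json
import time
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample values standing in for what you entered under
# Control Panel > Instance Settings > OAuth 2 Incoming Assertion Configuration.
CONFIGURED_ISSUER = "https://keycloak.example.com/realms/liferay"  # assumed issuer
CONFIGURED_JWKS = {                                                   # assumed JWKS
    "keys": [{"kty": "RSA", "kid": "demo-key-1", "use": "sig", "alg": "RS256",
              "n": "not-a-real-modulus", "e": "AQAB"}]
}


def _b64url_decode(segment):
    # JWS segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_assertion(assertion):
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.
    Liferay verifies the signature against the configured JWKS; this is only for
    inspecting which iss, sub and kid the token service actually emitted."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def preflight(assertion, configured_issuer, configured_jwks, now=None):
    """List the mismatches that Liferay would otherwise surface only as a failed
    token request. An empty list means the assertion lines up with the
    incoming-assertion configuration."""
    now = time.time() if now is None else now
    header, payload = decode_assertion(assertion)
    problems = []
    if payload.get("iss") != configured_issuer:
        problems.append("iss %r does not equal configured issuer %r"
                        % (payload.get("iss"), configured_issuer))
    if not payload.get("sub"):
        problems.append("sub claim missing; Liferay resolves the user from it")
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is none; an unsigned assertion cannot be trusted")
    known_kids = {k.get("kid") for k in configured_jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        problems.append("kid %r is not in the configured JWKS" % header.get("kid"))
    exp = payload.get("exp")
    if exp is None or exp <= now:
        problems.append("exp missing or already passed")
    return problems


def build_token_request(hostname, client_id, client_secret, assertion,
                        auth_method="client_secret_post"):
    """Build the POST to https://{hostname}/o/oauth2/token as (url, headers, body).
    client_secret_post puts the credentials in the form body, as the page shows;
    client_secret_basic sends them in an HTTP Basic Authorization header instead
    (RFC 6749 section 2.3.1). These match Liferay's two Client Authentication Methods."""
    url = "https://%s/o/oauth2/token" % hostname
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    if auth_method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":
        raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        raise ValueError("unsupported client authentication method: %r" % auth_method)
    return url, headers, urlencode(form)


def make_demo_assertion(claims, kid="demo-key-1"):
    """Constructed RS256-shaped assertion with a placeholder signature so the
    example runs offline. Liferay would reject it; only header and payload matter here."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}

    def seg(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    return "%s.%s.%s" % (seg(header), seg(claims), _b64url_encode(b"placeholder-signature"))


if __name__ == "__main__":
    good = make_demo_assertion({"iss": CONFIGURED_ISSUER, "sub": "alice@example.com",
                                "aud": "liferay", "iat": 1700000000, "exp": 4102444800})
    print("preflight (good):", preflight(good, CONFIGURED_ISSUER, CONFIGURED_JWKS) or "ok")
    bad = make_demo_assertion({"iss": "https://other.example.com/realms/x",
                               "sub": "alice@example.com", "exp": 1}, kid="rotated-away")
    print("preflight (bad): ", preflight(bad, CONFIGURED_ISSUER, CONFIGURED_JWKS))
    url, headers, body = build_token_request("liferay.example.com", "YOUR_CLIENT_ID",
                                             "YOUR_CLIENT_SECRET", good)
    print("POST", url, headers, body[:80] + "...")
```

The unverified decode in preflight is a debugging aid only: it tells you what the token service put in the assertion so you can compare it with the Liferay configuration, and it must never be used to make an authorization decision, because the placeholder signature shows how easily a token with any claims can be assembled. Only Liferay's signature check against the configured JWKS establishes trust.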

© 2024 Liferay Inc. All Rights Reserved.